Full Report
How It Works

1. IOC Extraction from Threat Reports

Uncoder AI automatically parses structured threat reports to extract:

- Domains and subdomains (e.g., mail.zhblz.com, doc.gmail.com.gyehdhhrggdi…)
- URLs and paths from phishing and payload delivery servers
- Related IPs, hashes, and filenames (seen on the left)

This saves significant manual effort compared to copying and normalizing IOCs from multiple […]

The post IOC-to-Query Generation for Google SecOps (Chronicle) in Uncoder AI appeared first on SOC Prime.
Analysis Summary
# Tool/Technique: IOC-to-Query Generation for Google SecOps (Chronicle) in Uncoder AI
## Overview
This functionality, integrated into the SOC Prime Uncoder AI platform, automates the process of converting Indicators of Compromise (IOCs) extracted from threat reports directly into executable Unified Data Model (UDM) search queries specifically formatted for Google SecOps (Chronicle). This speeds up threat hunting and investigation workflows.
## Technical Details
- Type: Tool/Feature (Within Uncoder AI platform)
- Platform: Google SecOps (Chronicle) for query execution; Uncoder AI for processing/generation.
- Capabilities: Automated IOC extraction from threat reports, conversion to UDM search syntax, rapid deployment of threat intelligence for detection and hunting.
- First Seen: May 23, 2025 (based on article publication date)
## MITRE ATT&CK Mapping
Since this tool supports hunting driven by external intelligence rather than describing adversary execution, it maps most naturally to the **Command and Control** or **Collection** tactics, viewed from the defender's side.
- **TA0011 - Command and Control** (Potentially, if related to blocking C2 infrastructure identified via IOCs)
- **T1048 - Exfiltration Over Alternative Protocol** (Indirectly, by hunting for C2 activity)
- **TA0005 - Defense Evasion** (Indirectly, by improving detection capabilities)
*Note: Direct primary mapping is difficult as this is a defensive tooling feature. It accelerates Tactic: Detection & Response.*
## Functionality
### Core Capabilities
- **IOC Extraction from Threat Reports:** Automatically parses structured threat intelligence reports to identify and pull out common IOC artifacts.
- **Auto-Formatted UDM Query Generation:** Converts extracted IOCs (Domains, Subdomains, URLs, Paths) into the necessary UDM query language structure recognized by Google Chronicle.
### Advanced Features
- **Domain/Subdomain Extraction:** Specifically targets indicators like `mail.zhblz.com` and obfuscated subdomains (e.g., `doc.gmail.com.gyehdhhrggdi…`).
- **URL and Path Extraction:** Captures indicators related to phishing or payload delivery infrastructure.
- **Operational Efficiency:** Bridges the gap between threat intelligence consumption and SIEM/XDR utilization, reducing manual query writing time.
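The pipeline described in "How It Works" and under Core Capabilities (pull indicators out of a report, then emit a Chronicle UDM search) as an added example; this is illustrative code, not Uncoder AI's implementation. The sample report is constructed (only `mail[.]zhblz[.]com` is taken from the page), and the choice of UDM fields (`target.hostname`, `network.dns.questions.name`, `target.url`, `target.ip`, `target.file.sha256`) is an assumption about how the indicators should be matched.

```python
import re
from urllib.parse import urlparse

# Constructed sample report excerpt (defanged). Only mail[.]zhblz[.]com comes
# from the page; the other indicators are made-up placeholders.
SAMPLE_REPORT = """
Phishing mail was sent from mail[.]zhblz[.]com and linked to
hxxps://payload[.]example[.]net/dl/stage2.bin (constructed example).
Second-stage C2 at 203[.]0[.]113[.]10. Dropper SHA256:
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[a-fA-F0-9]{64}\b")
# Hostnames in free text; the lookbehind skips names that are part of a URL
# path (e.g. /dl/stage2.bin) or the tail of a longer name (example.net).
HOST_RE = re.compile(r"(?<![\w./@-])(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

# Assumed UDM fields for each indicator type.
UDM_FIELDS = {
    "domains": ["target.hostname", "network.dns.questions.name"],
    "urls": ["target.url"],
    "ips": ["target.ip"],
    "sha256": ["target.file.sha256"],
}

def refang(text: str) -> str:
    """Undo common defanging so values match what telemetry actually records."""
    return (text.replace("[.]", ".").replace("(.)", ".")
                .replace("hxxps://", "https://").replace("hxxp://", "http://"))

def extract_iocs(report: str) -> dict:
    """Return sorted, de-duplicated indicators of each type found in the report."""
    t = refang(report)
    urls = set(URL_RE.findall(t))
    hosts = {h.lower() for h in HOST_RE.findall(t)}
    hosts |= {urlparse(u).hostname for u in urls if urlparse(u).hostname}
    hosts = {h for h in hosts if not IP_RE.fullmatch(h)}  # drop numeric hosts
    return {"domains": sorted(hosts), "urls": sorted(urls),
            "ips": sorted(set(IP_RE.findall(t))),
            "sha256": sorted({h.lower() for h in SHA256_RE.findall(t)})}

def udm_literal(value: str) -> str:
    """Quote a value for UDM search; report text is untrusted, so escape it."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def build_udm_query(iocs: dict) -> str:
    """OR together one equality clause per (field, indicator) pair."""
    clauses = [f"{f} = {udm_literal(v)}" + (" nocase" if k in ("domains", "urls") else "")
               for k, fields in UDM_FIELDS.items() for v in iocs.get(k, []) for f in fields]
    return " or\n".join(clauses)
```

Running `print(build_udm_query(extract_iocs(SAMPLE_REPORT)))` gives a query that can be pasted into the Chronicle UDM search box; the escaping in `udm_literal` is what stops a stray quote in a report from breaking or altering the query.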
## Indicators of Compromise
The article focuses on the *process* of generating queries from IOCs, not listing specific IOCs, but the expected types extracted are:
- File Hashes: [Not explicitly mentioned, but generally parsable]
- File Names: [Not explicitly mentioned]
- Registry Keys: [Not explicitly mentioned]
- Network Indicators: Domains, Subdomains, URLs, and Paths (e.g., `mail[.]zhblz[.]com`, `doc[.]gmail[.]com[.]gyehdhhrggdi…`)
- Behavioral Indicators: [Not applicable to the tool itself, but hunting rules generated would target them]
## Associated Threat Actors
- This tool is used by defensive teams (SOC analysts, Detection Engineers) leveraging threat intelligence.
- No specific threat actors are *using* this tool; rather, it helps *detect* actors based on shared intelligence.
## Detection Methods
Detection depends on the quality of the threat intelligence fed into Uncoder AI; adopting this feature implies reliance on:
- **Signature-based detection:** Generation of Chronicle Detections based on imported IOCs.
- **Behavioral detection:** Using the generated UDM queries to hunt for adversary behavior associated with the extracted IOCs within the Chronicle environment.
- **YARA rules:** [Not specified in context]
## Mitigation Strategies
Mitigation is achieved by using the tool to rapidly create threat detections:
- **Prevention measures:** Implementing network blocks/DNS sinkholes based on IOCs immediately converted to Chronicle rules.
- **Hardening recommendations:** Ensuring Google Chronicle is properly configured to ingest UDM data for effective searching using the generated queries.
## Related Tools/Techniques
- **Uncoder AI:** The parent platform hosting this functionality.
- **Google SecOps (Chronicle):** The target security platform where the queries are executed.
- **UDM (Unified Data Model):** The query language standard utilized.
- **Sigma/YARA:** Other common formats for threat detection rules that SOC Prime often integrates with.